A new report by security researchers has revealed how Zendesk’s platform can be exploited to facilitate phishing attacks and investment scams, such as romance baiting schemes.

The findings emphasize social engineering vulnerabilities that could allow malicious actors to impersonate trusted companies and put users at risk of data theft and financial loss.

CloudSEK’s analysis, published on January 20, shows that Zendesk’s system, which allows users to register free subdomains during trial sign-ups, can be manipulated to create URLs resembling those of legitimate companies. Attackers can then use these subdomains to deliver phishing emails disguised as customer support tickets or other legitimate interactions.

The security firm said that since 2023, it had identified 1912 instances of Zendesk subdomains matching client keywords.

The report highlights that while many instances serve legitimate purposes, some are being registered for malicious activities, including impersonation and scams. Common tactics include using keywords tied to the target brand along with numeric strings to appear authentic.

Zendesk does not verify email addresses for added users, making it possible for attackers to send phishing emails to both corporate and personal accounts.

Additionally, emails from Zendesk subdomains often bypass spam filters and land directly in primary inboxes, which increases the likelihood of victim engagement. Attackers can also customize Zendesk’s Help Center pages to mimic actual companies, further enhancing the apparent authenticity of phishing schemes.

Risk Mitigation Recommendations

The report warns of significant risks, including unauthorized access to sensitive customer data, financial losses from fraudulent schemes and compliance issues if customer data is exposed.

To mitigate these risks, CloudSEK advises:

Blacklisting unfamiliar Zendesk subdomains

Leveraging fake-URL and phishing detection security solutions for proactive detection and takedown

Conducting regular employee training on phishing awareness
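One way to apply the first two recommendations in a mail gateway or log-review script, as an added example that is not from the CloudSEK report or from Zendesk: it extracts the zendesk.com subdomain from a sender address or URL, passes through subdomains on the organisation's own allowlist, and flags the rest, separating brand-keyword lookalikes (the keyword-plus-numeric-string pattern the report describes) from merely unfamiliar subdomains. The allowlist, brand keywords and sample inputs are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist: the Zendesk subdomain(s) this organisation really uses.
KNOWN_SUBDOMAINS = {"examplecorp.zendesk.com"}
# Constructed brand keywords to watch for in unfamiliar subdomains.
BRAND_KEYWORDS = ("examplecorp", "example-corp")

# Anchored so "examplecorp.zendesk.com.evil.example" does not match.
ZENDESK_HOST = re.compile(r"^[a-z0-9-]+\.zendesk\.com$")

def zendesk_host(value: str) -> Optional[str]:
    """Return the lower-cased host if value is an e-mail address or URL on a zendesk.com subdomain."""
    if "@" in value and "://" not in value:
        host = value.rsplit("@", 1)[1]          # e-mail address: take the domain part
    else:
        # Prefix "//" so scheme-less hostnames are parsed as a netloc, not a path.
        host = urlparse(value if "://" in value else "//" + value).hostname or ""
    host = host.lower().rstrip(".")
    return host if ZENDESK_HOST.match(host) else None

def classify(value: str) -> str:
    """'known', 'lookalike', 'unfamiliar', or 'not-zendesk' for one sender address or URL."""
    host = zendesk_host(value)
    if host is None:
        return "not-zendesk"
    if host in KNOWN_SUBDOMAINS:
        return "known"
    sub = host[: -len(".zendesk.com")].replace("-", "")
    # Brand keyword inside an unfamiliar subdomain, typically padded with digits
    # (e.g. examplecorp-2024), is the impersonation pattern the report describes.
    if any(kw.replace("-", "") in sub for kw in BRAND_KEYWORDS):
        return "lookalike"
    return "unfamiliar"                          # candidate for the blocklist

def triage(samples: List[str]) -> List[Tuple[str, str]]:
    """Keep only items that need blocking or review; drop known and non-Zendesk ones."""
    return [(s, classify(s)) for s in samples if classify(s) in ("lookalike", "unfamiliar")]

# Constructed sample inputs, as a gateway might see them in From: headers or links.
SAMPLES = [
    "https://examplecorp.zendesk.com/hc/en-us",
    "support@examplecorp-2024.zendesk.com",
    "https://examplecorp-support.zendesk.com/requests/1",
    "billing@other-brand77.zendesk.com",
    "https://help.examplecorp.com/",
]

if __name__ == "__main__":
    for item, verdict in triage(SAMPLES):
        print(f"{verdict:10} {item}")
```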

CloudSEK has disclosed these findings to Zendesk and recommended measures to address the vulnerabilities.

While no active campaigns have been observed using this method, organizations are urged to act preemptively to safeguard their operations and customers.